I think what "security service" asked is how to properly let (domain) administrators start and stop DLService. We have both the Domain Administrators and a lesser MIS group with Full Control in Computer Configuration -> Device Lock -> Service Options -> DeviceLock Administrators (in AD) and yet as part of the lesser group, I can't start or stop the service through the Services applet in the Control Panel. The same goes if I log in with Domain administrators credentials. If I use "dlservice -e", I get "The process cannot access the file because it is being used by another process."

OK. With the default security, who has access? According to the manual, everyone who's a local administrator.

According to the manual on page 82, "When DeviceLock Security is enabled, no one except authorized users can connect to DeviceLock Service or stop and uninstall it." That's in the section of adding users or groups instead of relying on the "default". We have users with admin rights on their system.

DeviceLock Administrators is a complex defence mechanism which not only restricts local admins from changing service settings via a console but also restricts any access to the service itself and to the related registry information. Imagine the service is stopped when DeviceLock Administrators are in use; in this case there is no more defence of the service and the registry, since the service must be running to provide it. Hence it means that the Administrators feature is compromised. That is why there is no sense in your wishing DeviceLock Default Security to be off and the service to be stopped at the same time.

Roman Gaditskiy wrote:
DeviceLock Administrators is a complex defence mechanism which not only restricts local admins from changing service settings via a console but also restricts any access to the service itself and to the related registry information.

One last thing regarding the "dlservice -e": while a few machines I tested on allow the service to stop with this command, I had one case where it comes back with the message that the service can't be stopped because it's in use. What would cause this? A device attached to the system using DeviceLock?